Equifax Confirms Another 'Security Incident'

Equifax says the two breaches are unrelated.

Sep 21, 2017

Just days after a cybersecurity breach at international credit reporting agency, Equifax, exposed the person information of 143 million people, the company has confirmed an additional security incident with a payroll-related service in the months prior. The company says the two breaches are not related.

"Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service," an Equifax spokesperson told NPR. "The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media."

Equifax is already struggling to gain trust after it waited at least a month to disclose to consumers that the cyberattack potentially impacted their personal information such as names, Social Security numbers, birth dates and addresses.

The company spokesperson says that the same company that investigated the first breach has already investigated what they are calling the "March event," and found that there is no evidence that these two separate events or the attackers were related.

It appears that, despite the company's naming on the event, the breach could have lasted for longer than a month. KrebsonSecurity reported that the Equifax breach happened over the course of nearly a year and "crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successful answering personal questions about the employees."

Equifax did not immediately confirm the details of the KrebsonSecurity article.